UK’s Russia Attribution for NotPetya Upends $100 Million Lawsuit

Nearly a year after the British government formally laid the blame for 2017’s widespread NotPetya malware infections at Moscow’s door, it may not have anticipated one consequence: a twist in a $100 million lawsuit between Mondelez, one of the largest companies damaged by the malware, and Zurich, its insurer.

This week Zurich Insurance flatly rejected a $100 million claim by Mondelez: the confectionery giant had sought damages under a provision of its insurance policy that covers “physical loss or damage to electronic data, programs, or software” caused by “the malicious introduction of a machine code or instruction”.

(The company suffered permanent damage to 1,700 of its servers and 24,000 laptops, it said in a court filing on Thursday in Illinois, as the FT reports.)

Zurich’s justification? The incident fell under a policy exclusion covering “hostile or warlike action in time of peace or war.” (The initial UK statement from Foreign Office Minister Lord Ahmad described it as an “attack [that] masqueraded as a criminal enterprise but its purpose was principally to disrupt.”)

The case is being closely watched: numerous insurers are grappling with whether to exclude state-sponsored or terrorist cyberattacks. With state-level hacking tools widely available and attribution increasingly difficult to make, owing to state-sponsored actors making use of third parties and other countries, it’s a clear challenge.

Zurich can refer to a number of official statements by other Western governments describing NotPetya as part of a Russian hostile action against Ukraine. One likely hurdle: no proof that would stand up in a courtroom has been offered to back up the accusation. (As is standard in intelligence-led attributions.)

The lawsuit raises the question of whether the claims from official sources should be admissible as evidence, even when they lack substantiation. With nation state-level offensive hacking tools out in the wild and claims being bandied about widely without attribution, cyber insurance is about to get even more complicated.